If we had a cyber war with China or Russia tomorrow, would they only attack our Pentagon information systems? Or would they attack our banks and power companies at the same time? I think the answer is obvious, and that is the point of this blog post. Executive Order 13636, Improving Critical Infrastructure Cybersecurity, was signed in February to address this fact. Its high-level objectives:
- develop a technology-neutral voluntary cybersecurity framework
- promote and incentivize the adoption of cybersecurity practices
- increase the volume, timeliness and quality of cyber threat information sharing
- incorporate strong privacy and civil liberties protections into every initiative to secure our critical infrastructure
- explore the use of existing regulation to promote cybersecurity
The Pentagon is required to harden and monitor its systems to an insane degree, but the federal government cannot force those same requirements on the private sector. So, a “voluntary” framework needs to be developed.
For this reason, I had the good fortune to be able to spend last week on the UC San Diego campus. NIST was hosting the third in a series of workshops whose purpose is to develop a cybersecurity framework for our nation’s critical infrastructure. NIST was empowered by EO 13636 to develop this framework.
NIST has since been hosting these workshops and inviting security professionals to participate in the framework’s development. It is exciting and encouraging to me to see how NIST handled this process. Every industry was able to participate and contribute. At the workshop last week, approximately 300 people showed up, ranging from representatives of the financial, power, and telecommunications industries to DoD and intelligence community representatives. These few hundred were broken into groups, and those groups were divided again into sub-groups. Then we all set to the task of writing the outline for this new framework. I found the approach so cool because the sub-groups were small enough that every person could be heard. The best ideas of a sub-group made it to the group level. The best group-level ideas made it to the NIST review board. It was very organic, democratic, egalitarian. I was pretty impressed. The fourth workshop will be in Dallas in September, and I’m looking forward to participating in that as well.
So far, the framework is still fairly open. It is based on five activities: Know, Prevent, Detect, Respond, and Recover, and it draws on a compendium of standards and controls from many industries. NIST intentionally avoided forcing SP 800-53 on the private sector. We will see how the framework develops. This will make a good webcast topic for later this fall when it’s finally released. See you then!
Email me with any comments or questions.
Thanks for reading!